Conntrack Control for Docker

2026-04-20 03:54:09 +03:00 · 2026-04-17 19:06:18 +03:00
parent 3ca3e8ff0e
commit 093faed0c2
7 changed files with 152 additions and 35 deletions
--- a/src/config/load.rs
+++ b/src/config/load.rs
@@ -343,6 +343,10 @@ impl ProxyConfig {
        let network_table = parsed_toml
            .get("network")
            .and_then(|value| value.as_table());
+        let server_table = parsed_toml.get("server").and_then(|value| value.as_table());
+        let conntrack_control_table = server_table
+            .and_then(|table| table.get("conntrack_control"))
+            .and_then(|value| value.as_table());
        let update_every_is_explicit = general_table
            .map(|table| table.contains_key("update_every"))
            .unwrap_or(false);
@@ -372,10 +376,17 @@ impl ProxyConfig {
        let stun_servers_is_explicit = network_table
            .map(|table| table.contains_key("stun_servers"))
            .unwrap_or(false);
+        let inline_conntrack_control_is_explicit = conntrack_control_table
+            .map(|table| table.contains_key("inline_conntrack_control"))
+            .unwrap_or(false);

        let mut config: ProxyConfig = parsed_toml
            .try_into()
            .map_err(|e| ProxyError::Config(e.to_string()))?;
+        config
+            .server
+            .conntrack_control
+            .inline_conntrack_control_explicit = inline_conntrack_control_is_explicit;

        if !update_every_is_explicit && (legacy_secret_is_explicit || legacy_config_is_explicit) {
            config.general.update_every = None;
@@ -1881,6 +1892,35 @@ mod tests {
        );
    }

+    #[test]
+    fn conntrack_inline_explicit_flag_is_false_when_omitted() {
+        let cfg = load_config_from_temp_toml(
+            r#"
+            [general]
+            [network]
+            [server]
+            [server.conntrack_control]
+            [access]
+            "#,
+        );
+        assert!(!cfg.server.conntrack_control.inline_conntrack_control_explicit);
+    }
+
+    #[test]
+    fn conntrack_inline_explicit_flag_is_true_when_present() {
+        let cfg = load_config_from_temp_toml(
+            r#"
+            [general]
+            [network]
+            [server]
+            [server.conntrack_control]
+            inline_conntrack_control = true
+            [access]
+            "#,
+        );
+        assert!(cfg.server.conntrack_control.inline_conntrack_control_explicit);
+    }
+
    #[test]
    fn unknown_sni_action_parses_and_defaults_to_drop() {
        let cfg_default: ProxyConfig = toml::from_str(
--- a/src/config/types.rs
+++ b/src/config/types.rs
@@ -1329,6 +1329,10 @@ pub struct ConntrackControlConfig {
    #[serde(default = "default_conntrack_control_enabled")]
    pub inline_conntrack_control: bool,

+    /// Tracks whether inline_conntrack_control was explicitly set in config.
+    #[serde(skip)]
+    pub inline_conntrack_control_explicit: bool,
+
    /// Conntrack mode for listener ingress traffic.
    #[serde(default)]
    pub mode: ConntrackMode,
@@ -1363,6 +1367,7 @@ impl Default for ConntrackControlConfig {
    fn default() -> Self {
        Self {
            inline_conntrack_control: default_conntrack_control_enabled(),
+            inline_conntrack_control_explicit: false,
            mode: ConntrackMode::default(),
            backend: ConntrackBackend::default(),
            profile: ConntrackPressureProfile::default(),